One of the best ways to prevent unauthorized access to the server is to require authentication for all operations processed in the server.
If the server is configured to reject unauthenticated requests, then attackers would either need to legitimate access to an account in the server, or they would need to somehow obtain credentials for a valid account.
The global configuration makes it easy to reject requests from unauthenticated clients through the following properties:
- Indicates whether the server rejects requests from unauthenticated clients, including clients that have not yet authenticated, clients whose most recent authentication attempt failed, or clients whose most recent authentication attempt was an anonymous bind.
- Specifies an optional set of criteria used to indicate that certain operations are allowed over an unauthenticated connection.
reject-unauthenticated-requests is true, then the
server allows a small number of requests from unauthenticated connections. These
- Bind requests, which are used to authenticate connections.
- StartTLS extended requests, which are used to add TLS encryption to initially insecure connections.
- The start administrative session extended request, which is used to indicate that subsequent operations are part of an administrative session. When it is used, this should be the first operation on the connection, even before bind and StartTLS operations. There is no inherent security risk in allowing this for unauthenticated clients.
If any other types of requests should be allowed for unauthenticated clients, then the
allowed-unauthenticated-requests-criteria property should be used
to define criteria that matches only those operations.